
List:       jaxme-dev
Subject:    [jira] [Commented] (WSS-520) Searching in wrong path for the message.
From:       "Philip Helger (Jira)" <jira () apache ! org>
Date:       2022-05-09 9:48:00
Message-ID: JIRA.12760452.1418135021000.81529.1652089680071 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/WSS-520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17533726#comment-17533726 ]

Philip Helger commented on WSS-520:
-----------------------------------

This problem occurs if the signing certificate in the keystore is a key entry that
does not have the full chain in it.

See the following screenshot from KeyStore explorer with a broken key entry:

!image-2022-05-09-11-42-05-503.png!

To correct the error, the addition of a hierarchy is needed. Then the key entry
details should look like this:

!image-2022-05-09-11-44-14-940.png!

Of course using the correct "chain" and not the one depicted in the image.

The latest version of KeyStore Explorer has a nice feature to easily append a
certificate to the chain:

!image-2022-05-09-11-46-06-921.png!

From the above example, first append the "TeleSec Business CA 21" trusted
certificate, and then the "T-TeleSec GlobalRoot Class 2" certificate. Repeat this
game until you are at the top. Don't forget to save your keystore afterwards.

> Searching in wrong path for the message.
> ----------------------------------------
> 
> Key: WSS-520
> URL: https://issues.apache.org/jira/browse/WSS-520
> Project: WSS4J
> Issue Type: Bug
> Reporter: renu
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Attachments: image-2022-05-09-11-42-05-503.png, image-2022-05-09-11-44-14-940.png, image-2022-05-09-11-46-06-921.png
> 
> Getting exception:
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: No message with ID "certpath" found in resource bundle "org/apache/xml/security/resource/xmlsecurity". Original Exception was a java.security.cert.CertPathValidatorException and message basic constraints check failed: this is not a CA certificate
> Original Exception was java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
>   at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:933)
>   at org.apache.wss4j.dom.validate.SignatureTrustValidator.verifyTrustInCerts(SignatureTrustValidator.java:108)
>   at org.apache.wss4j.dom.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:64)
>   at org.apache.wss4j.dom.validate.SamlAssertionValidator.verifySignedAssertion(SamlAssertionValidator.java:130)
>   at org.apache.wss4j.dom.validate.SamlAssertionValidator.validate(SamlAssertionValidator.java:109)
> Instead of searching the message in the resource bundle of wss4j, message is
> searched in xml security and thus causing the exception.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
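
A way to check a keystore for the condition described in the comment above (a key entry stored without its full chain), as an added example that is not part of the original message or of WSS4J. The class name `KeyEntryChainCheck` and the method `findGap` are hypothetical; the code assumes Java 9 or later and X.509 certificates, and takes the keystore path and password as arguments.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class KeyEntryChainCheck {

    /** Returns null when the chain runs up to a self-signed root, else a description of the gap. */
    static String findGap(Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return "no certificate chain stored with the key";
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            boolean last = i == chain.length - 1;
            // Every certificate must be issued by its successor; the last one by itself.
            X509Certificate issuer = last ? cert : (X509Certificate) chain[i + 1];
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                return last
                    ? "chain ends at a non-root; append issuer: " + cert.getIssuerX500Principal()
                    : "entry " + (i + 1) + " is not the issuer of entry " + i;
            }
            try {
                cert.verify(issuer.getPublicKey());
            } catch (Exception e) {
                return "signature of entry " + i + " does not verify: " + e.getMessage();
            }
            // Anything above the leaf acts as an issuer and must carry CA basic constraints.
            if (i > 0 && cert.getBasicConstraints() < 0) {
                return "entry " + i + " is used as an issuer but is not a CA certificate";
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // args[0] = keystore file, args[1] = keystore password (both supplied by the caller)
        KeyStore ks = KeyStore.getInstance(new File(args[0]), args[1].toCharArray());
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no chain of their own
            }
            String gap = findGap(ks.getCertificateChain(alias));
            System.out.println(alias + ": " + (gap == null ? "full chain present" : gap));
        }
    }
}
```

For a key entry that holds only the signing certificate, the output names the issuer that still has to be appended, which is the next certificate to add in KeyStore Explorer.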
